Recent Posts

March 27th, 2008

Phishing Scam Targeting Facebook Users

The scam involves a notice appearing on the wall of user profiles as a message from a friend, saying “Hey, I got a new facebook account. Im going to delete this one, so add my new profile”, followed by a link that appears to point to the new profile. The actual link goes to a URL on view-facebookprofiles.com, a domain registered (with WHOIS privacy protection) through Namecheap and hosted at SoftLayer, whose page looks identical to the Facebook login page.

Users fooled into resubmitting their Facebook details on this page then have their Facebook accounts hijacked and all of their contacts receive a similar message, propagating the phishing scam.

It’s not clear yet exactly what the phishing scammers are planning on using the compromised accounts for, or how far it has spread. One tipper claimed that many of his friends had been caught as well.
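
As an added illustration (this code is not from the original post), the following Python triage routine applies the one check that would have exposed the lure above: the link text may look like a profile, but the destination hostname's registrable domain is not facebook.com. The allow-listed domain, the brand token and the sample links are constructed for this example; the first sample link mirrors the domain named in the post.

```python
"""Flag login links whose destination imitates a brand domain (added example)."""
from urllib.parse import urlsplit

LEGIT_DOMAIN = "facebook.com"   # the brand's real registrable domain (assumption for the example)
BRAND = "facebook"              # token whose presence elsewhere in a URL is suspicious


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (e.g. example.com).

    Simplification: ignores multi-label public suffixes such as co.uk.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Return 'legit', 'lookalike' or 'other' for a link destination."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    if not host:
        return "other"
    # Any real subdomain of the brand's domain (www., m., login.) is fine.
    if registrable_domain(host) == LEGIT_DOMAIN:
        return "legit"
    # Brand name in the host (view-facebookprofiles.com, facebook.com.example.net)
    # or in the path of an unrelated host is the classic lure pattern.
    if BRAND in host or BRAND in path:
        return "lookalike"
    return "other"


def triage(links):
    """Map each link to its verdict so a reviewer can see every flagged URL at once."""
    return {u: classify_link(u) for u in links}


# Constructed sample links; the first uses the domain named in the post.
SAMPLE_LINKS = [
    "http://view-facebookprofiles.com/login.php",
    "https://www.facebook.com/login.php",
    "http://facebook.com.example.net/login",
    "http://203.0.113.9/facebook/login.php",
    "https://example.org/page",
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:9s} {url}")
```

The check deliberately keys on the registrable domain rather than on the hostname string, because a phishing host can freely prefix its own domain with the brand name. It does not handle homoglyph or internationalised domain names; a production filter would normalise those before comparison.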

March 25th, 2008

Microsoft warns of targeted Word attack

Software giant Microsoft warned on Friday that some customers have reported detecting attacks using Microsoft Word and a previously unknown vulnerability in Microsoft’s Jet database engine.

The attack uses an e-mail message with two attachments — a Word file and a Microsoft Jet database file — although Microsoft is investigating whether other programs could also be used, the company said in a security advisory published on Friday. While the software giant has stated that Microsoft database files (.mdb) should be considered unsafe and do not execute automatically, under the conditions described in the latest attacks the database file does execute, security firm McAfee stated in its research blog.

“Up until recently attackers typically exploited MS Jet DB vulnerabilities through MDB files, and therefore Microsoft stuck to their ‘MDB files are unsafe’ story — well, that’s changed,” Craig Schmugar, senior antivirus researcher at security firm McAfee, wrote in the post.

Flaws in Microsoft’s Office productivity applications have become standard weapons for fraudsters conducting targeted attacks aimed at high-level managers and executives. While ten or fewer high-severity flaws were reported in the five major component applications of Microsoft Office each year from 2002 to 2006, at least 26 high-severity flaws were reported in Office applications last year, according to data from the National Vulnerability Database. Earlier this month, Microsoft patched a dozen flaws in Office applications.

Vulnerabilities in Microsoft Office have been used in industrial espionage and in attacks on government systems.

Microsoft is currently working on producing a patch for the flaw. The company recommended that companies either restrict Microsoft Jet Database from running or block .mdb files from being sent as attachments.

The vulnerability does not affect computers running Windows Server 2003 Service Pack 2, Windows Vista, or Windows Vista Service Pack 1, the company stated.
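
The second mitigation Microsoft recommends, blocking .mdb attachments, is only as good as the check behind it. The following Python example (added here; it is not code from Microsoft's advisory or McAfee's post) scans an inbound message and flags Jet database attachments both by file extension and by content, so a database renamed to another extension is still caught. It relies on the fact that Jet 3.x/4.x .mdb files carry the ASCII string "Standard Jet DB" at byte offset 4; the sample message and its attachment bytes are constructed for the example.

```python
"""Flag Jet database (.mdb) attachments by name and by content (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Jet 3.x/4.x database files carry this ASCII signature at byte offset 4.
JET_MAGIC = b"Standard Jet DB"
BLOCKED_EXT = (".mdb",)


def is_jet_database(payload: bytes) -> bool:
    """Content check that does not trust the attachment's file name."""
    return payload[4:4 + len(JET_MAGIC)] == JET_MAGIC


def find_blocked_attachments(raw_message: bytes):
    """Return one record per attachment that is a Jet database by name or by content."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        by_name = name.endswith(BLOCKED_EXT)
        by_magic = is_jet_database(data)
        if by_name or by_magic:
            hits.append({"filename": name, "by_name": by_name, "by_magic": by_magic})
    return hits


def build_sample_message() -> bytes:
    """Constructed message: a Word stand-in, an .mdb, and the same Jet header renamed to .txt."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Q1 figures (constructed sample)"
    msg.set_content("See attached.")
    # Placeholder bytes standing in for a Word document; not a real file.
    msg.add_attachment(b"\xd0\xcf\x11\xe0placeholder", maintype="application",
                       subtype="msword", filename="figures.doc")
    # Minimal stand-in for a Jet database: 4-byte prefix, the signature, padding.
    fake_mdb = b"\x00\x01\x00\x00" + JET_MAGIC + b"\x00" * 16
    msg.add_attachment(fake_mdb, maintype="application", subtype="octet-stream",
                       filename="figures.mdb")
    # Same content with a harmless-looking extension: only the content check catches it.
    msg.add_attachment(fake_mdb, maintype="application", subtype="octet-stream",
                       filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in find_blocked_attachments(build_sample_message()):
        print(hit)
```

On the constructed message the extension rule alone would pass notes.txt through; the signature check is what makes the attachment policy hold when the sender renames the file.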

February 27th, 2008

Gotcha, CAPTCHA! Gmail bot detector system cracked

The Gmail CAPTCHA has been cracked—albeit not easily—raising new concerns about spammers’ ability to abuse Google’s e-mail services. Websense Security Labs pointed out the security breach late last week, noting that spammers have a lot to gain by being able to use bots to automatically sign up for new accounts.

Google’s free e-mail services and a highly-desirable gmail.com domain—one that is unlikely to be blacklisted by anybody’s spam filters—are just two of the features that induced spammers to crack the CAPTCHA and have bots do all the work. On the upside, it apparently wasn’t easy—Websense says that it required two bot hosts to crack instead of just the one that recently cracked Windows Live Mail’s CAPTCHA (Websense believes that the same group was involved with both). It also believes that the two hosts are required because the first host may fail at cracking the code the first time around (and possibly time out), but the second host may also be required to check the work of the first. Additionally, only one in every five CAPTCHA-breaking requests on Gmail succeeded. Still, a 20 percent success rate is relatively high when you consider that spambots are trying to register hundreds (or thousands) of e-mail addresses at a time.

February 22nd, 2008

A Method for Critical Data Theft

A group led by a Princeton University computer security researcher has developed a simple method to steal encrypted information stored on computer hard disks.

The technique, which could undermine security software protecting critical data on computers, is as easy as chilling a computer memory chip with a blast of frigid air from a can of dust remover. Encryption software is widely used by companies and government agencies, notably in portable computers that are especially susceptible to theft.

The move, which cannot be carried out remotely, exploits a little-known vulnerability of the dynamic random access memory, or DRAM, chip. Those chips temporarily hold data, including the keys to modern data-scrambling algorithms. When the computer’s electrical power is shut off, the data, including the keys, is supposed to disappear.

In a technical paper that was published Thursday on the Web site of Princeton’s Center for Information Technology Policy, the group demonstrated that standard memory chips actually retain their data for seconds or even minutes after power is cut off.

When the chips were chilled using an inexpensive can of air, the data was frozen in place, permitting the researchers to easily read the keys — long strings of ones and zeros — out of the chip’s memory.

“Cool the chips in liquid nitrogen (-196 °C) and they hold their state for hours at least, without any power,” Edward W. Felten, a Princeton computer scientist, wrote in a Web posting. “Just put the chips back into a machine and you can read out their contents.”

The researchers used special pattern-recognition software of their own to identify security keys among the millions or even billions of pieces of data on the memory chip.

“We think this is pretty serious to the extent people are relying on file protection,” Mr. Felten said.

The team, which included five graduate students led by Mr. Felten and three independent technical experts, said they did not know if such an attack capability would compromise government computer information because details of how classified computer data is protected are not publicly available.

February 20th, 2008

Goolag.org, CdC’s new web data auditing tool, launches

Oxblood Ruffin shares word that Cult of the Dead Cow just launched a large-scale scanner project, Goolag.org:

“SECURITY ADVISORY: The following program may screw a large Internet search engine and make the Web a safer place.

Today CULT OF THE DEAD COW (cDc), the world’s most attractive hacker group, announced the release of Goolag Scanner, a Web auditing tool. Goolag Scanner enables everyone to audit his or her own Web site via Google. The scanner technology is based on “Google hacking”, a form of vulnerability research developed by Johnny I Hack Stuff. He’s a lovely fellow. Go buy him a drink.

“It’s no big secret that the Web is the platform”, said cDc spokesmodel, Oxblood Ruffin. “And this platform pretty much sucks from a security perspective. Goolag Scanner provides one more tool for Web site owners to patch up their online properties. We’ve seen some pretty scary holes through random tests with the scanner in North America, Europe, and the Middle East. If I were a government, a large corporation, or anyone with a big Web site, I’d be downloading this beast and aiming it at my site yesterday. The vulnerabilities are that serious.”

Goolag Scanner will be released open source under the GNU Affero General Public license. It is dedicated to the memory of Wau Holland, founder of the Chaos Computer Club, and a true champion of privacy rights and social justice.

GOOLAG SCANNER FUNCTIONS AND FEATURES

GoolagScan is a standalone Windows GUI-based application.

* Configuration. gS uses one XML-based configuration file for its settings.

* Data-House-holding. All dorks coming with the distribution of gS are kept inside one file.

February 19th, 2008

New BotSniffer better able to detect foul stench of botnets

Researchers at Georgia Tech have published a paper on BotSniffer—a program they’ve designed to detect and disable botnets. Botsniffer is not the only bot-detection program available, but the Georgia Tech research team believes that the program’s approach to the botnet issue results in a better correlation rate and a lower number of false positives. BotSniffer is designed to detect botnets using either IRC or HTTP protocols, i.e., “push” or “pull” botnets. The program uses a detection method referred to as “Spatial-Temporal Correlation and Similarity” when searching for the presence of a botnet over the network.

Spatial-Temporal Correlation and Similarity relies on the assumption that all botnets, regardless of function, will have to communicate with a master node in order to receive updates and instructions. Unlike humans, botnets tend to communicate in a highly synchronized fashion. BotSniffer specifically watches for this type of “response crowd” communication. If a group of responses qualifies as both consistent and synchronous, the systems in question are much more likely to be part of a botnet than a group of humans communicating with each other. Approaching the problem from this angle allows BotSniffer to theoretically detect the presence of a botnet even when overall network communication is low.

The developers of BotSniffer believe that this type of communication analysis is ultimately superior to methods that rely on signature checking, network-level traffic analysis, or approaches like BotHunter’s, which uses an intrusion-detection system. BotHunter cannot detect botnets when only fed IRC information, and it also relies on known signatures. Going forward, BotSniffer developers intend to implement what they refer to as an “activity response crowd homogeneity check,” a check that examines various features that multiple computers in a botnet might have in common.
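
To make the response-crowd idea concrete, here is a toy detector in Python, added as an example and not BotSniffer's own code. It reduces the spatial-temporal correlation described above to three checks per server: how many distinct internal hosts replied to it (spatial), whether those replies landed within a short window (temporal), and whether the reply payloads are near-identical (consistency, measured here with a plain text-similarity ratio). The log format, the thresholds and the sample lines are constructed for this example; the addresses come from documentation ranges.

```python
"""Toy response-crowd detector in the spirit of BotSniffer (added example)."""
import difflib
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations

WINDOW_SECS = 10.0      # replies must land within this span to count as synchronous
MIN_HOSTS = 3           # smallest crowd worth flagging
SIM_THRESHOLD = 0.6     # mean pairwise payload similarity needed to call a crowd consistent


@dataclass(frozen=True)
class Msg:
    ts: float   # epoch seconds
    src: str    # internal host that sent the message
    dst: str    # external server it talked to (candidate command node)
    text: str   # payload summary, e.g. an IRC PRIVMSG line or an HTTP request line


def parse_line(line: str) -> Msg:
    """Constructed log format: '<epoch seconds> <src> <dst> <payload summary>'."""
    ts, src, dst, text = line.split(maxsplit=3)
    return Msg(float(ts), src, dst, text)


def mean_similarity(texts) -> float:
    """Average pairwise similarity of the payloads in a crowd (1.0 for a single text)."""
    pairs = list(combinations(texts, 2))
    if not pairs:
        return 1.0
    return sum(difflib.SequenceMatcher(None, a, b).ratio() for a, b in pairs) / len(pairs)


def response_crowds(lines):
    """Return {dst: (hosts, similarity)} for each server that received a
    synchronous, consistent crowd of replies from MIN_HOSTS or more hosts."""
    by_dst = defaultdict(list)
    for m in map(parse_line, lines):
        by_dst[m.dst].append(m)
    flagged = {}
    for dst, msgs in by_dst.items():
        msgs.sort(key=lambda m: m.ts)
        best = None
        for i, start in enumerate(msgs):
            # temporal: everything this server received within WINDOW_SECS of `start`
            window = [m for m in msgs[i:] if m.ts - start.ts <= WINDOW_SECS]
            # spatial: one payload per distinct source host (latest in the window)
            latest = {m.src: m.text for m in window}
            if len(latest) < MIN_HOSTS:
                continue
            sim = mean_similarity(list(latest.values()))
            if sim >= SIM_THRESHOLD and (best is None or len(latest) > len(best[0])):
                best = (sorted(latest), round(sim, 2))
        if best:
            flagged[dst] = best
    return flagged


# Constructed sample: four hosts report to 203.0.113.5 within seconds with
# near-identical payloads; two people chat on 198.51.100.7 minutes apart.
SAMPLE_LOG = [
    "1000.0 10.0.0.11 203.0.113.5 PRIVMSG #z :.sysinfo cpu=2.0GHz ram=512MB os=xp",
    "1001.5 10.0.0.12 203.0.113.5 PRIVMSG #z :.sysinfo cpu=1.8GHz ram=1024MB os=xp",
    "1002.1 10.0.0.13 203.0.113.5 PRIVMSG #z :.sysinfo cpu=3.0GHz ram=512MB os=2k",
    "1004.0 10.0.0.14 203.0.113.5 PRIVMSG #z :.sysinfo cpu=2.4GHz ram=256MB os=xp",
    "1000.0 10.0.0.21 198.51.100.7 PRIVMSG #linux :anyone tried the new kernel yet?",
    "1043.0 10.0.0.22 198.51.100.7 PRIVMSG #linux :yeah, running it since monday",
    "1095.0 10.0.0.21 198.51.100.7 PRIVMSG #linux :nice, any problems with wifi?",
]

if __name__ == "__main__":
    for dst, (hosts, sim) in response_crowds(SAMPLE_LOG).items():
        print(f"{dst}: {len(hosts)} hosts replied in step (similarity {sim}): {hosts}")
```

Only the first server is reported: the human channel never has three distinct hosts inside one ten-second window, and its messages would fail the similarity bar even if it did. The thresholds are the tuning knobs a defender would adjust per network; the point of the example is that the crowd signal survives even when total traffic to the server is tiny.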

January 17th, 2008

Why watermarking will never replace DRM

That DRM is dying in the music arena is clear: the major labels are all on board with DRM-free music, and consumers have sent a message that DRMed music isn’t attractive. David Kravets over at Wired wrote a column last week that gave pause to those who want to break out the champagne: watermarks may take the place of DRM. Kravets is right: the music industry is investigating their use as means to police P2P usage, starting with Universal’s ongoing test.

The music industry is barking up the wrong tree, however, if it thinks that watermarking is a panacea for its problems. Watermarking can never really replace (let alone improve upon) DRM because watermarking is not a so-called “access control”; it’s an identification technology. Watermarking could be used to encode all manner of information into a digital recording (e.g., your name or a purchase date), but it differs from DRM in that it isn’t designed to directly enforce how you use and don’t use content.

On account of watermarking not being an access control, there are no laws against circumventing it. While technically we’re all supposed to sit in fear of the DRM on our DVDs and run screaming from anyone who suggests that we bypass it, there’s nothing to compel users to not strip watermarks. The DMCA doesn’t address it. Yes, companies like Microsoft claim to have watermarking techniques that are stealthy and supposedly unbreakable. Raise your hand if you’ve ever heard of such promises amounting to, well, squat.

We all know how well the DMCA works: it doesn’t. Even when there are laws expressly forbidding users from circumventing access controls, as in the case of DRM, users do it nonetheless. How much weaker will a watermarking regime be if there’s not even the threat of prosecution for stripping it? “Congress will make it illegal,” you might say. Sure, OK, but why would it play out any differently from the scenario with DRM? While I can’t see Congress enforcing watermarks in the wake of the problems caused by the DMCA, let’s say that they do. The backlash would be significant. While many people are irritated by DRM, there are far more people concerned with privacy, and in some ways, music collections could become privacy threats in a worst-case scenario. Motivation for hacking would be high, legal or not.

To make matters worse, watermarking suffers from many of the same practical flaws as DRM, too, in terms of stifling file sharing. It only takes one pristine, non-watermarked copy of something to leak out for it to proliferate. For watermarks to truly pinch file sharing, the music industry would have to make watermarking ubiquitous–something it couldn’t even accomplish with DRM. To make watermarking ubiquitous, the industry would need to find a way to convince consumers that having personally identifiable information embedded in their purchases is a great idea. It’s hard to see how “accept this so we can monitor you” is a great idea, although users might opt-in to such a thing if prices were lower, for example.

And without a doubt, watermarking could have a psychological effect on file sharing. If Joe User has a big collection of watermarked music, he might want to keep it under wraps for fear that copyright enforcers could easily determine his identity. Yet even then the risks are not yet clear. If a file bearing Joe User’s name shows up in a share in Texas and can’t be connected to Joe by means of an IP, it does not necessarily follow that a copyright violation has occurred on account of something Joe did. His machine could have been compromised, for instance, or perhaps Joe sold his music. Just as there are many legal problems today with the move from an IP address of an open share to a real human violating copyright law, so too would there be problems tying infringement to watermarked files.

Kravets notes that the industry could use watermark tracking to make a case for mandatory ISP filtering, and this is most certainly true. It also isn’t saying much because the industry will argue just about anything to promote such an end, including hyperbole that file sharing is among the most significant issues this country faces. It’s also not clear how 1,000 non-watermarked songs being shared online is any different from 1,000 watermarked songs in this regard.

The industry may turn to watermarks, but I for one am hoping that the next five years won’t be a rewind-then-play of the very costly failure of DRM. If a move to watermarking is made, and if that move ever comes to include embedding personally identifiable information in music for the purposes of suing citizens, then the decision to drop DRM won’t be nearly as enlightened as we all hope that it is. There may be a place for watermarking in the music business, but not if it’s meant to ratchet up the fight against file sharing by making it easier to sue people.
